We've made a little change to the way we configure Z/IP ONEs before they leave the factory. Even if you're not in the market for an IP codec now—heck, even if you're not a Telos customer—this change is something you should contemplate.
In recent months, the last thing our technicians do before boxing up a new Z/IP ONE has been to change the password needed to access the web page. Each new codec receives a unique password, based on characteristics that cannot be discovered from the network side, but which are easily seen by the user. An instruction card accompanying each new device describes how to access the web page.
Why is this important? There is a new category of "Internet of Things" search engines specifically designed to locate and catalog standalone devices placed on the internet. Botnets scan the entire IPv4 address space, every day, looking for open and commonly used ports. Port 80, used by HTTP, is one of the most commonly used ports. A neglected web server with a default or easily discoverable password, such as the one hosted on almost all network-enabled broadcast equipment, will likely eventually draw the sort of attention you'd rather avoid.
Why else is this important? It represents the kind of small step one can take to increase security.
What else can you do?
- Always place your Z/IP ONE behind a firewalled NAT, forwarding only the ports you need to the Z/IP ONE and other equipment.
- Translate forwarded ports to be nonstandard on the WAN side - that is, forward a strange external port like 12808 to internal port 80 to access the web server.
- Bookmark your equipment's web pages so that you don't have to remember a bevy of strange numbers.
- Change the default password from the one we provide to a truly unique one.
- Use password managers, many of which have provisions for sharing some passwords with individuals or within an organization. This will allow you to use very strong, truly unique passwords on all your equipment and accounts.
- Restrict physical access to the device so that an unauthorized user cannot see or change passwords (or other settings).
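The first two items, sketched as an nftables ruleset for a Linux-based router; this is an added example, not a Telos configuration. The interface names `wan0` and `lan0` and the codec address 192.168.10.50 are assumptions; 12808 and 80 are the ports used in the list above.

```nftables
#!/usr/sbin/nft -f
# Added example. Assumed values: wan0 (internet side), lan0 (studio LAN),
# 192.168.10.50 (the codec's LAN address).
flush ruleset

table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Nonstandard external port 12808 maps to the codec's web server on port 80.
        # WAN port 80 itself is never forwarded.
        iifname "wan0" tcp dport 12808 dnat to 192.168.10.50:80
        # Any other port the codec needs is forwarded the same way, one rule each.
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Outbound LAN traffic is hidden behind the router's WAN address.
        oifname "wan0" masquerade
    }
}

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        # The router itself accepts nothing new from the WAN side.
        iifname "lo" accept
        ct state established,related accept
        iifname "lan0" accept
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # LAN devices may open connections outward.
        iifname "lan0" oifname "wan0" accept
        # Inbound traffic passes only if it matched a DNAT rule above and is
        # headed for the codec's web port; everything else hits the drop policy.
        iifname "wan0" ip daddr 192.168.10.50 tcp dport 80 ct status dnat accept
    }
}
```

The default-drop forward policy is what enforces "only the ports you need": a port with no matching DNAT rule and accept rule never reaches the codec. The nonstandard port only reduces noise from scans of common ports, so the unique password still matters.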
Security is hard. Risk management always is. The above list is hardly exhaustive, yet each step adds another layer of safety to help ensure that you stay on the air and uninterrupted.
About the author
Jason Wisnieski has been a member of the Telos Alliance engineering team since 1999. As a developer, he has contributed primarily to telephony and codec products. Jason presently serves as Engineering Manager for Codecs, managing the Z/IP ONE codec and Nx series telephony products.